Added support to manage ssh certificates

2014-02-09 23:38:30 +01:00 · 2014-02-09 23:38:30 +01:00 · 47211d0648
commit 47211d0648
parent 6e418aa945
5 changed files with 104 additions and 41 deletions
--- a/2
+++ b/2
@ -1,4 +1,4 @@
-   Copyright (c) 2013 Salt Stack Formulas
+   Copyright (c) 2013-2014 Salt Stack Formulas

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
--- a/README.rst
+++ b/README.rst
@ -18,6 +18,21 @@ Available states

 Installs the ``openssh`` server package and service.

+``openssh.auth``
+-----------
+
+Manages SSH certificates for users.
+
+``openssh.banner``
+------------------
+
+Installs a banner that users see when SSH-ing in.
+
+``openssh.client``
+------------------
+
+Installs the openssh client package.
+
 ``openssh.config``
 ------------------

@ -26,12 +41,3 @@ Installs the ssh daemon configuration file included in this formula
 by values from pillar. ``pillar.example`` results in the generation
 of the default ``sshd_config`` file on Debian Wheezy.

-``openssh.client``
------------------
-
-Installs the openssh client package.
-
-``openssh.banner``
------------------
-
-Installs a banner that users see when SSH-ing in.
--- a/openssh/auth.sls
+++ b/openssh/auth.sls
@ -0,0 +1,43 @@
+include:
+  - openssh
+
+{% from "openssh/map.jinja" import openssh with context %}
+{% set openssh_pillar = pillar.get('openssh', {}) %}
+{% set auth = openssh_pillar.get('auth', {}) %}
+{% for user,keys in auth.items() -%}
+  {% for key in keys -%}
+    {% if 'present' in key and key['present'] %}
+{{ key['name'] }}:
+  ssh_auth.present:
+    - user: {{ user }}
+      {% if 'source' in key %}
+    - source: {{ key['source'] }}
+      {% else %}
+        {% if 'enc' in key %}
+    - enc: {{ key['enc'] }}
+        {% endif %}
+        {% if 'comment' in key %}
+    - comment: {{ key['comment'] }}
+        {% endif %}
+        {% if 'options' in key %}
+    - options: {{ key['options'] }}
+        {% endif %}
+      {% endif %}
+    - require:
+      - service: {{ openssh.service }}
+    {% else %}
+{{ key['name'] }}:
+  ssh_auth.absent:
+    - user: {{ user }}
+      {% if 'enc' in key %}
+    - enc: {{ key['enc'] }}
+      {% endif %}
+      {% if 'comment' in key %}
+    - comment: {{ key['comment'] }}
+      {% endif %}
+      {% if 'options' in key %}
+    - options: {{ key['options'] }}
+      {% endif %}
+    {% endif %}
+  {% endfor %}
+{% endfor %}
--- a/openssh/files/sshd_config
+++ b/openssh/files/sshd_config
@ -1,4 +1,5 @@
-{% set sshd_config = pillar.get('sshd_config', {}) %}
+{% set openssh_pillar = pillar.get('openssh', {}) %}
+{% set sshd_config = openssh_pillar.get('sshd_config', {}) %}

 # This file is managed by salt. Manual changes risk being overwritten.
 # The contents of the original sshd_config are kept on the bottom for
--- a/pillar.example
+++ b/pillar.example
@ -1,30 +1,43 @@
-sshd_config:
-  Port: 22
-  Protocol: 2
-  HostKey:
-    - /etc/ssh/ssh_host_rsa_key
-    - /etc/ssh/ssh_host_dsa_key
-    - /etc/ssh/ssh_host_ecdsa_key
-  UsePrivilegeSeparation: yes
-  KeyRegenerationInterval: 3600
-  ServerKeyBits: 768
-  SyslogFacility: AUTH
-  LogLevel: INFO
-  LoginGraceTime: 120
-  PermitRootLogin: yes
-  StrictModes: yes
-  RSAAuthentication: yes
-  PubkeyAuthentication: yes
-  IgnoreRhosts: yes
-  RhostsRSAAuthentication: no
-  HostbasedAuthentication: no
-  PermitEmptyPasswords: no
-  ChallengeResponseAuthentication: no
-  X11Forwarding: yes
-  X11DisplayOffset: 10
-  PrintMotd: no
-  PrintLastLog: yes
-  TCPKeepAlive: yes
-  AcceptEnv: "LANG LC_*"
-  Subsystem: "sftp /usr/lib/openssh/sftp-server"
-  UsePAM: yes
+openssh:
+  sshd_config:
+    Port: 22
+    Protocol: 2
+    HostKey:
+      - /etc/ssh/ssh_host_rsa_key
+      - /etc/ssh/ssh_host_dsa_key
+      - /etc/ssh/ssh_host_ecdsa_key
+    UsePrivilegeSeparation: yes
+    KeyRegenerationInterval: 3600
+    ServerKeyBits: 768
+    SyslogFacility: AUTH
+    LogLevel: INFO
+    LoginGraceTime: 120
+    PermitRootLogin: yes
+    StrictModes: yes
+    RSAAuthentication: yes
+    PubkeyAuthentication: yes
+    IgnoreRhosts: yes
+    RhostsRSAAuthentication: no
+    HostbasedAuthentication: no
+    PermitEmptyPasswords: no
+    ChallengeResponseAuthentication: no
+    X11Forwarding: yes
+    X11DisplayOffset: 10
+    PrintMotd: no
+    PrintLastLog: yes
+    TCPKeepAlive: yes
+    AcceptEnv: "LANG LC_*"
+    Subsystem: "sftp /usr/lib/openssh/sftp-server"
+    UsePAM: yes
+
+  auth:
+    joe:
+      - name: JOE_VALID_SSH_PUBLIC_KEY
+        present: True
+        enc: ssh-rsa
+        comment: main key
+      - name: JOE_NON_VALID_SSH_PUBLIC_KEY
+        present: False
+        enc: ssh-rsa
+        comment: obsolete key - removed
+